Hazelnut update (v5.4.0)

What's Changed

New features:

• Introduced support for issuing and receiving credentials over OpenID4VCI (OpenID Connect for Verifiable Credential Issuance).
  If the node's /n2n endpoint runs on port 443, the node will automatically configure its DIDs for OpenID4VCI support.
  If running on another port, additional action is required. See openid4vci documentation for more information.
• Added certificate info to peer diagnostics.
• Added last connection error and the date/time of the next connection attempt to the network's address book.

Bug fixes/improvements:

• Diagnostics now shows correct number of owned conflicted DID document (vdr.conflicted_did_documents.owned_count).
• Added background job that periodically checks the node's network state and fixes incorrect XOR hashes.
  This can happen in certain high-load cases on Redis.
• Network peer authentication failures are now logged on debug instead of warn, leading to less chatter.
  To find out what error occurred, you should now look at the network's address book. /internal/network/v1/addressbook
• When creating new DID documents, the VDR now checks whether the specified controllers actually exist.
• Helm chart got updated (@henk-hofs-pink).

Full Changelog: v5.3.0...v5.4.0

v5.4.0-rc.2

What's Changed (since rc.1)

• Output certificate as PEM when DNS names not match by @woutslakhorst in #2342
• use correct error on banned by @woutslakhorst in #2344
• OpenID4VCI: Enable by default by @reinkrul in #2346

Full Changelog: v5.3.0...v5.4.0-rc.2

v5.4.0-rc.1

New features:

• Introduced support for issuing and receiving credentials over OpenID4VCI (OpenID Connect for Verifiable Credential Issuance).
  If the node's /n2n endpoint runs on port 443, the node will automatically configure its DIDs for OpenID4VCI support.
  If running on another port, additional action is required. See :ref:openid4vci for more information.
• Added certificate info to peer diagnostics.
• Added last connection error and the date/time of the next connection attempt to the network's address book.

Bug fixes/improvements:

• Diagnostics now shows correct number of owned conflicted DID document (vdr.conflicted_did_documents.owned_count).
• Added background job that periodically checks the node's network state and fixes incorrect XOR hashes.
  This can happen in certain high-load cases on Redis.
• Network peer authentication failures are now logged on debug instead of warn, leading to less chatter.
  To find out what error occurred, you should now look at the network's address book. /internal/network/v1/addressbook
• When creating new DID documents, the VDR now checks whether the specified controllers actually exist.
• Helm chart got updated (@henk-hofs-pink).

What's Changed

• Added last error and next connection attempt to addressbook stats by @woutslakhorst in #2237
• Bump google.golang.org/grpc from 1.55.0 to 1.56.0 by @dependabot in #2258
• Bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 by @dependabot in #2255
• change default NATS hostname to 0.0.0.0 by @woutslakhorst in #2257
• Migrate e2e tests to nuts-node repo by @reinkrul in #2253
• Bump github.com/lestrrat-go/jwx from 1.2.25 to 1.2.26 in /e2e-tests/auth/selfsigned by @dependabot in #2259
• Network: re-validate peers after denylist update by @gerardsn in #2238
• replace direct String return with specific error writer by @woutslakhorst in #2261
• Docs: add proxy_buffering and client_max_body_size to example NGINX config by @reinkrul in #2236
• e2e tests: use nuts-node APIs from workspace by @reinkrul in #2262
• Remove issue comment by @gerardsn in #2266
• Meh: typos by @gerardsn in #2265
• rewrite github docker action set-output by @woutslakhorst in #2263
• rewrite CORS tests to use correct headers by @woutslakhorst in #2264
• Bump github.com/nats-io/nats-server/v2 from 2.9.18 to 2.9.19 by @dependabot in #2268
• go mod tidy by @woutslakhorst in #2270
• OpenID4VCI: Refactor credential offers and access tokens for validity checking by @reinkrul in #2232
• e2e tests: make browser tests part of project by @reinkrul in #2275
• Bump github.com/nats-io/nats.go from 1.27.0 to 1.27.1 by @dependabot in #2276
• Bump google.golang.org/grpc from 1.56.0 to 1.56.1 by @dependabot in #2271
• killed popups when testing by @woutslakhorst in #2282
• Bump google.golang.org/protobuf from 1.30.0 to 1.31.0 by @dependabot in #2284
• Network: set Peer.Certificate on bootstrap connections by @gerardsn in #2280
• OID$VCI: rename types to type by @gerardsn in #2286
• OIDC: Rename invalid proof error codes by @gerardsn in #2285
• e2e tests: vault was moved to hashicorp/vault by @reinkrul in #2288
• only enable latest tag for docker if build tag equals latest github tag by @woutslakhorst in #2267
• Embed test PEM files instead of referencing via paths by @reinkrul in #2277
• OIDC4VCI: compare offered and received credential types for equality by @gerardsn in #2272
• Helm: do not set new chart as latest release by @gerardsn in #2293
• Bump github.com/alicebob/miniredis/v2 from 2.30.3 to 2.30.4 by @dependabot in #2292
• VCR Search: don't log each individual invalid search result by @reinkrul in #2294
• only allow openid4vci calls over https when strictmode is enabled by @woutslakhorst in #2290
• Feature/2058/oidc4vci/definitions by @woutslakhorst in #2287
• fix typo: credentials_definition -> credential_definition by @gerardsn in #2296
• Cleanup: remove network.publicaddr config properties, doesn't exist anymore by @reinkrul in #2297
• OpenID4VCI: DID service with base URL for wallet/issuer discovery by @reinkrul in #2240
• generate and check c_nonce for credential request by @woutslakhorst in #2298
• Cleanup: use --wait in e2e tests by @reinkrul in #2303
• Cleanup: remove old network.tls properties from e2e tests by @reinkrul in #2302
• OpenID4VCI: fix unknown nonce error by @reinkrul in #2305
• e2e-tests: removed prepare.sh scripts with env variable node DIDs by @reinkrul in #2306
• e2e-tests: replace sleeps with waitFor by @reinkrul in #2307
• Network: add certificate to peer diagnostics by @gerardsn in #2278
• Migrate golang/mock to uber/mock by @gerardsn in #2310
• Bump golang.org/x/crypto from 0.10.0 to 0.11.0 by @dependabot in #2319
• Pass didStore instead of service wrappers by @woutslakhorst in #2301
• OpenID4VCI: Golden Hammer for fixing services in DID services by @reinkrul in #2239
• Bump go.uber.org/mock from 0.1.0 to 0.2.0 by @dependabot in #2322
• add xor tree repair loop by @woutslakhorst in #2309
• Bump google.golang.org/grpc from 1.56.1 to 1.56.2 by @dependabot in #2321
• OpenID4VCI: Validate credential_definition and compare with credential by @gerardsn in #2308
• OpenID4VCI: Remove TLS support TODO (already fixed) by @reinkrul in #2326
• Rename OIDC4VCI to OpenID4VCI by @reinkrul in #2325
• Remove DID restore from restore procedure by @woutslakhorst in #2328
• Add backup for private credentials by @woutslakhorst in #2323
• PKI: add denylist Key and URL by @gerardsn in #2329
• Bump golang from 1.20.5-alpine to 1.20.6-alpine by @dependabot in #2334
• Release notes for v5.4.0-rc.1 by @reinkrul in #2331
• go mod tidy by @gerardsn in #2335
• OpenID4VCI: Re-use http.Client for connection re-use by @reinkrul in #2327
• Docs: update deprecated NGINX http2 directive by @gerardsn in #2338
• Configure backup shelves for credentials and revocations by @woutslakhorst in #2341
• VDR: CMD and API use same defaults when creating a new DID by @gerardsn in #2339

Full Changelog: nuts-node-v5.3.0...v5.4.0-rc.1

nuts-node-chart-0.0.3

A NUTS node Helm chart for Kubernetes

Hazelnut update (v5.3.1)

Release date: 2023-06-13

• Fixed issue where a Reprocess failed due to missing data

Full Changelog: v5.3.0...v5.3.1

Hazelnut update (v5.2.3)

Release date: 2023-06-13

• Fixed issue where a Reprocess failed due to missing data

Full Changelog: v5.2.2...v5.2.3

Hazelnut update (v5.1.2)

Release date: 2023-06-13

• Fixed issue where a Reprocess failed due to missing data

Full Changelog: v5.1.1...v5.1.2

Hazelnut update (v5.3.0)

• Automatically resolving of node DIDs has been removed, since it caused more confusion than it simplified things.
  It was only meant for workshop/demo purposes and not allowed in strict mode, so the impact should be very limited.
  If you didn't configure a node DID but do want to exchange private credentials,
  you now have to configure it explicitly using network.nodedid.
• The tls.crl.maxvaliditydays config flag has been deprecated. CRLs are now updated more frequently, making this option obsolete.
• Adds support for RFC019 and RFC020, which describe a new EmployeeIdentity authentication means which allows an employer to make claims
  about the identity of their employees. This has a lower level of assurance, but can be used when care organisations trust each others employee enrollment process.
• Fixed issue where VDR could no longer update broken DID Documents.
• Added API calls to Didman to update endpoints and compound services (previously, they had to be deleted and then recreated to change them).
• NutsAuthorizationCredentials and NutsOrganizationCredentials now require a valid credentialSubject.id (meaning it is a DID).

What's Changed

• Bump github.com/goodsign/monday from 1.0.0 to 1.0.1 by @dependabot in #1992
• Network: adjusted 'node DID not set' log when strict mode is not set to WARN by @reinkrul in #1990
• Bump google.golang.org/protobuf from 1.29.1 to 1.30.0 by @dependabot in #1991
• DIDman: Strict API interfaces by @reinkrul in #1958
• VDR: Strict OpenAPI interfaces by @reinkrul in #1807
• Docs: describe security model by @reinkrul in #1887
• CRL: update deprecated logic by @gerardsn in #1989
• Auth: only connect to HTTPS endpoints when in strict mode by @reinkrul in #1922
• fix finding issued credentials by @woutslakhorst in #1994
• update diagnostics with owned did conflicts by @woutslakhorst in #1997
• Fix non-visible commands in documentation by @beardedfoo in #1998
• Bump google.golang.org/grpc from 1.53.0 to 1.54.0 by @dependabot in #2001
• Bump github.com/privacybydesign/irmago from 0.12.1 to 0.12.2 by @dependabot in #2000
• Auth: fix failing test by @gerardsn in #1999
• Bump github.com/nuts-foundation/go-stoabs from 1.6.0 to 1.7.0 by @dependabot in #2003
• Network: move outbound_connectors to separate diagnostics page by @reinkrul in #1966
• fix correct loading order of data in issuer store by @woutslakhorst in #1995
• refactor tls.Config creation on grpc connection manager by @woutslakhorst in #2004
• Crypto: storage funcs now pass context by @reinkrul in #1996
• VCR: Strict API interfaces by @gerardsn in #1967
• Bump github.com/nats-io/nats.go from 1.24.0 to 1.25.0 by @dependabot in #2006
• x509: show offending URL in CRL validator sync errors by @reinkrul in #2008
• Core: originate errors from modules in system lifecycle by @reinkrul in #2007
• Bump alpine from 3.17.2 to 3.17.3 by @dependabot in #2014
• JWM support in NUTS, part 2. The (de/en)crypt_jwe methods by @rolandgroen in #1912
• Network: Remove NodeDIDResolver by @gerardsn in #2016
• Auth: make Access Token duration configurable by @gerardsn in #2017
• Upgrade to Go 1.20 by @gerardsn in #2019
• Bump github.com/spf13/cobra from 1.6.1 to 1.7.0 by @dependabot in #2020
• Bump go-stoabs to v1.8.1 and go-redis to v9.0.3 by @gerardsn in #2021
• Bump golang from 1.20.2-alpine to 1.20.3-alpine by @dependabot in #2023
• use transport.Peer in conversation instead of PeerID by @woutslakhorst in #2024
• Bump golang.org/x/crypto from 0.7.0 to 0.8.0 by @dependabot in #2027
• CRL: replace validator by @gerardsn in #2011
• Bump github.com/twmb/murmur3 from 1.1.6 to 1.1.7 by @dependabot in #2043
• Network: nodeDID is not a pointer by @gerardsn in #2055
• Network: grpcConnectionManager construction can return errors to prevent panics by @gerardsn in #2046
• Bump github.com/prometheus/client_golang from 1.14.0 to 1.15.0 by @dependabot in #2057
• Core: validate truststore on load by @gerardsn in #2028
• Auth: make uzi crl validator cancellable by @gerardsn in #2029
• Update JSON-LD for new authentication means by @woutslakhorst in #2048
• Bump github.com/nats-io/nats-server/v2 from 2.9.15 to 2.9.16 by @dependabot in #2064
• Bump github.com/alicebob/miniredis/v2 from 2.30.1 to 2.30.2 by @dependabot in #2068
• Docs: fix typo in configuration.rst by @gerardsn in #2072
• Fix incorrect URL in v5.2.0 release notes by @reinkrul in #2070
• Start signing session for EmployeeIdentity by @woutslakhorst in #2062
• Bump github.com/hashicorp/vault/api from 1.9.0 to 1.9.1 by @dependabot in #2073
• Extend VerifiablePresentations build options by @woutslakhorst in #2074
• Network: remove autoresolver for node DID by @reinkrul in #2067
• Auth: fix build for selfsigned holder VP by @reinkrul in #2080
• Bump github.com/nuts-foundation/go-did from 0.4.0 to 0.5.1 by @dependabot in #2077
• Bump github.com/avast/retry-go/v4 from 4.3.3 to 4.3.4 by @dependabot in #2078
• Release notes: set v5.2.0 release date by @reinkrul in #2083
• EmployeeIdentity signing means validation by @woutslakhorst in #2075
• Docs: encode + in backup/restore for covenience by @reinkrul in #2082
• PKI: Move default certs to central location by @gerardsn in #2095
• Add certificate blacklist implementation by @beardedfoo in #2044
• Bump github.com/prometheus/client_golang from 1.15.0 to 1.15.1 by @dependabot in #2100
• Bump github.com/redis/go-redis/v9 from 9.0.3 to 9.0.4 by @dependabot in #2097
• Bump golang from 1.20.3-alpine to 1.20.4-alpine by @dependabot in #2099
• Docs: move fs2external to server commands by @gerardsn in #2101
• Docs: add selfsigned means to default contract validators by @gerardsn in #2102
• Bump github.com/prometheus/client_model from 0.3.0 to 0.4.0 by @dependabot in #2106
• Bump go.uber.org/atomic from 1.10.0 to 1.11.0 by @dependabot in #2105
• PKI: softfail when crl or denylist is missing or outdated by @gerardsn in #2104
• Feature/2047 add employeeIdentity signing means by @stevenvegt in #2079
• Bump google.golang.org/grpc from 1.54.0 to 1.55.0 by @dependabot in #2109
• VCR: remove duplicate and conflicting constants by @gerardsn in #2107
• Network: add log message when Reprocess has completed by @gerardsn in #2108
• VCR: Distinguish VP/VC not valid at given time errors by @reinkrul in #2103
• Auth: fix API client generation after self-signed implementation by @reinkrul in #2110
• Didman: make organization search more robust by @reinkrul in https://github....

Hazelnut update (v5.2.2)

Release date: 2023-05-16

• Fixed issue where VDR could no longer update broken DID Documents.
• Reverted VCR API change in which credentialSubject was returned as an array instead of an object.

Full Changelog: v5.2.1...v5.2.2

Hazelnut update (v5.1.1)

Release date: 2023-05-16

• Fixed issue where VDR could no longer update broken DID Documents.

Full Changelog: v5.1.0...v5.1.1